CVE-2023-31421 - OpenCVE

It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however, certificate signature validation is still performed. More specifically, when the client is configured to connect to an IP address (instead of a hostname) it does not validate the server certificate's IP SAN values against that IP address and certificate validation fails, and therefore the connection is not blocked as expected.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Elastic	Elastic Agent Elastic Fleet Server Elastic Beats Apm Server

Configuration 1 [-]

cpe:2.3:a:elastic:elastic_beats:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:elastic:elastic_agent:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:elastic:apm_server:*:*:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:a:elastic:elastic_fleet_server:*:*:*:*:*:*:*:*

References

Link	Resource
https://discuss.elastic.co/t/beats-elastic-agent-apm-server-and-fleet-server-8-10-1-security-update-improper-certificate-validation-issue-esa-2023-16/343385	Vendor Advisory
https://www.elastic.co/community/security	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: elastic

Published: 2023-10-26T03:10:52.684Z

Updated: 2023-10-26T03:10:52.684Z

Reserved: 2023-04-27T18:54:56.705Z

Link: CVE-2023-31421

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-26T04:15:16.000

Modified: 2024-02-15T19:39:22.410

Link: CVE-2023-31421

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-31421", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2023-04-27T18:54:56.705Z", "datePublished": "2023-10-26T03:10:52.684Z", "dateUpdated": "2023-10-26T03:10:52.684Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Beats", "vendor": "Elastic", "versions": [{"status": "affected", "version": "8.0.0, 8.9.2"}]}, {"defaultStatus": "unaffected", "product": "Elastic Agent", "vendor": "Elastic", "versions": [{"status": "affected", "version": "8.0.0, 8.9.2"}]}, {"defaultStatus": "unaffected", "product": "APM Server", "vendor": "Elastic", "versions": [{"status": "affected", "version": "8.0.0, 8.9.2"}]}, {"defaultStatus": "unaffected", "product": "Fleet Server", "vendor": "Elastic", "versions": [{"status": "affected", "version": "8.0.0, 8.9.2"}]}], "datePublic": "2023-09-19T15:32:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: var(--wht);\">It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however, certificate signature validation is still performed. More specifically, when the client is configured to connect to an IP address (instead of a hostname) it does not validate the server certificate's IP SAN values against that IP address and certificate validation fails, and therefore the connection is not blocked as expected.</span>"}], "value": "It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however, certificate signature validation is still performed. More specifically, when the client is configured to connect to an IP address (instead of a hostname) it does not validate the server certificate's IP SAN values against that IP address and certificate validation fails, and therefore the connection is not blocked as expected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2023-10-26T03:10:52.684Z"}, "references": [{"url": "https://discuss.elastic.co/t/beats-elastic-agent-apm-server-and-fleet-server-8-10-1-security-update-improper-certificate-validation-issue-esa-2023-16/343385"}, {"url": "https://www.elastic.co/community/security"}], "source": {"discovery": "UNKNOWN"}, "title": "Beats, Elastic Agent, APM Server, and Fleet Server Improper Certificate Validation issue", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:elastic_beats:*:*:*:*:*:*:*:*", "matchCriteriaId": "F350E05B-DF03-4D1F-95A4-4F6C14DD1640", "versionEndIncluding": "8.9.2", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:elastic_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CB5A9F5-BEFA-472C-A29B-4E71F2B19609", "versionEndIncluding": "8.9.2", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:apm_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E6E46E9-87C4-4422-AB28-811252254A88", "versionEndIncluding": "8.9.2", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:elastic_fleet_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F77F3ECE-C5B8-4BBB-B1B5-986DBCA2C0EE", "versionEndIncluding": "8.9.2", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however, certificate signature validation is still performed. More specifically, when the client is configured to connect to an IP address (instead of a hostname) it does not validate the server certificate's IP SAN values against that IP address and certificate validation fails, and therefore the connection is not blocked as expected."}, {"lang": "es", "value": "Se descubri\u00f3 que cuando actuaban como Clientes TLS, Beats, Elastic Agent, APM Server y Fleet Server no verificaban si el certificado del servidor es v\u00e1lido para la direcci\u00f3n IP de destino; sin embargo, a\u00fan se realiza la validaci\u00f3n de la firma del certificado. M\u00e1s espec\u00edficamente, cuando el cliente est\u00e1 configurado para conectarse a una direcci\u00f3n IP (en lugar de un nombre de host), no valida los valores IP SAN del certificado del servidor con esa direcci\u00f3n IP y la validaci\u00f3n del certificado falla y, por lo tanto, la conexi\u00f3n no se bloquea como se esperaba."}], "id": "CVE-2023-31421", "lastModified": "2024-02-15T19:39:22.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "bressers@elastic.co", "type": "Secondary"}]}, "published": "2023-10-26T04:15:16.000", "references": [{"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/beats-elastic-agent-apm-server-and-fleet-server-8-10-1-security-update-improper-certificate-validation-issue-esa-2023-16/343385"}, {"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://www.elastic.co/community/security"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "bressers@elastic.co", "type": "Secondary"}]}